Rhdh: catalog-import function leaks credentials to frontend
CVE-2023-6944

5.7MEDIUM

Key Information:

Vendor

Red Hat
Status
Rhdh-1.1-rhel-9
Vendor
CVE Published:
4 January 2024

What is CVE-2023-6944?

A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

RHDH-1.1-RHEL-9 1.1-107.1724038966

References

https://access.redhat.com/errata/RHBA-2024:5869
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6944
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2255204
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
5.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Josephine Pfeiffer for reporting this issue.
JSON
.